Home Knowledge Maintaining Confidentiality over Data Seized by Regulator

Maintaining Confidentiality over Data Seized by Regulator

In the recent decision of Commission For Communications Regulation v Eircom Limited [2024] IEHC 49, Twomey J in the High Court (Court) considered the effect of the statutory requirement on a regulator under the Communications Regulation Acts 2002 to 2023 (Act) of maintaining the confidentiality of a regulated entity’s information, which had been seized by the regulator when exercising its powers of search and seizure in a dawn raid.

Eircom Limited (Eircom) published details of a proposed discount scheme for its wholesale customers of fibre into homes and businesses. The Commission for Communications Regulation (ComReg) informed Eircom that the proposed scheme did not satisfy relevant regulatory requirements and raised concerns about competition, transparency, and price control issues. ComReg commenced an investigation under the Act. Over three days in May and June 2023, ComReg conducted an unannounced search of Eircom’s premises and seized copies of Eircom’s original digital data (Seized Data).

To continue its investigation, ComReg needed to access the Seized Data while at the same time respecting Eircom’s rights to confidentiality regarding any legally privileged or irrelevant information.  Accordingly, ComReg brought an application for the Court to approve its planned treatment of the Seized Data (Step Plan). ComReg did not have access to the Seized Data, pending the Court’s decision, as it was in “sealed evidence bags”.

The Step Plan

The Step Plan proposed a series of electronic word searches (Electronic Word Searches) of the Seized Data, in each case taking into account any submissions of Eircom regarding what search terms should be used, in order:

  • to search for file/domain names related, for example, to healthcare providers, airline reservations etc which are clearly personal and so to eliminate irrelevant information;
  • to search for domains, names, and email addresses of lawyers / law firms etc to eliminate privileged material; and
  • to use terms which will identify relevant material to the investigation.

After completing the Electronic Word Searches, ComReg would commence its analysis of the Seized Data.

The issue to be considered by the Court

Twomey J noted that:

the only real issue between the parties in this case, is not whether the search and seizure was lawful or whether the scope of the investigation is too wide, but rather it is who was going to conduct the Electronic Word Searches to eliminate privileged and irrelevant information from the Seized Data.

The key issue was whether the Electronic Word Searches were to be conducted by Eircom, the regulated entity which had its data seized, or by the regulator, ComReg, which had that data as a result of exercising its search and seizure powers.

Twomey J found that whilst the Act provides that the confidentiality of the regulated entity’s information is to be maintained, it is impossible to guarantee that the searches conducted by ComReg will remove all privileged and irrelevant information.

Twomey J listed the following points as relevant to deciding this issue:

  1. Regardless of who conducts the search, a very strict and literal interpretation of the Act as contended by Eircom, meant that confidentiality must be 100% guaranteed. This could never be the case, whether Eircom or ComRes conducted the Electronic Word Searches. With 323,832 documents to be searched, there will always be a risk that some privileged Eircom documents, or private or personal information of an Eircom employee, might be contained in one of the documents after the Electronic Word Searches has been completed. Just because ComReg cannot guarantee absolute confidentiality, this is not a reason for the Court to order Eircom to conduct the search, rather than ComReg. In other words, it was not clear to the Court that the literal and plain meaning of “confidentiality [is to] be maintained” is that confidentiality must be 100% guaranteed, as this is impossible.
  2. Interpreting the phrase “confidentiality [is to] be maintained” as meaning that confidentiality must be guaranteed (and so the Electronic Word Searches must be conducted by Eircom) is only possible if the phrase is read in isolation from the rest of the Act and without any consideration of its purpose.
  3. Where a search and seizure by a regulator is permitted by statute, the starting point is that the search of the seized data is done by the regulator, otherwise the very purpose of the statute is effectively set at nought. The context and purpose of the Act is very clear and specific and cannot be in doubt, since the very nature of a search and seizure is that it is conducted by the regulator. This is the context against which the expression “confidentiality [is to] be maintained” must be interpreted.

Twomey J concluded that the proposal put forward by ComReg, (i.e. that it should conduct the searches while seeking to maintain confidentiality, even though this cannot be 100% guaranteed for every single document), is the most consistent interpretation with the very clear and specific context and purpose of the Act.

Conclusion

The Court found that ComReg, as opposed to the regulated entity, should conduct the search of the Seized Data. Otherwise, the purpose of search and seizure powers by a regulator as part of its investigation would be undermined.

The Court approved the Step Plan, involving the use of Electronic Word Searches designed to eliminate privileged and irrelevant material from the Seized Data, subject to a small number of minor modifications. The Court also noted on a few occasions that it would have been preferable if Eircom had engaged with ComReg in identifying Electronic Word Searches that would eliminate privileged and / or irrelevant information.

The decision will have important practical implications for dawn raids and should inform the conduct of and engagement between regulators and regulated entities. The starting point is that the regulator should conduct the search to remove irrelevant and privileged information from any data seized.  However, given the regulated entity’s knowledge of and access to the original data, the Courts would expect them to contribute to that process.

The approach taken to the searching of the Seized Data in this case appears to have involved only the use of keyword searches to eliminate privileged and irrelevant material.  The decision highlights the advantages for organisations in adopting a structured approached to data storage and management.  This would include labelling or separating potentially privileged communications when generated, easing the task of identifying and segregating such data in circumstances such as arose in this case.

If you have any queries about dawn raids or the content of this article please contact Garrett Breen, Cormac Little, Deirdre O’Donovan, Joanne Ryan or your usual William Fry contact.

 

Contributed by Joanne Ryan, Orla Trant, Hannah Garvey